Archive for November 2017

Google Sued for Invading the Privacy of Millions in UK

Google is being sued on behalf of millions in the UK over privacy violations, after it allegedly secretly accessed their browsing data on iPhones.

The former director of consumer group Which?, Richard Lloyd, is seeking compensation for up to 5.4m Britons in the equivalent of a class-action lawsuit. He alleges that Google circumvented the default privacy settings for Safari on iPhones and iPads between the summer of 2011 and spring of 2012, in a clandestine effort to surreptitiously collect browsing histories of individuals and serve targeted advertising.

The issue was first brought up back in 2013, but Google argued at the time that it did not have to answer to the English courts and that UK privacy laws don’t apply to it, as an American company. But in 2015, Britain’s Court of Appeal ruled that UK consumers do actually have the right to sue Google over the issue, after which the internet behemoth agreed to an undisclosed settlement in a subsequent lawsuit. Lloyd is now bringing a much larger “representative action”—which will pay out £300 to each plaintiff. People who owned an iPhone or iPad during the effective time period will be automatically included in the claim.

The claim is that Google manipulated a feature in Apple’s Safari web browser in order to place the DoubleClick ID Cookie on Apple devices. Allegedly, Google used the ‘Form Submission Rule’ exception within Safari (which allows users to click on Like buttons and similar interactions) to then trick the browser into thinking the user had visited the first-party domain that the DoubleClick cookie is sent from—thus allowing Google to set the ID Cookie and update it as a third-party cookie via other web sites. With that, it became able to trace a user’s browsing history.

“I believe that what Google did was quite simply against the law,” said Lloyd. “Their actions have affected millions, and we’ll be asking the courts to remedy this major breach of trust. Through this action, we will send a strong message to Google and other tech giants in Silicon Valley that we’re not afraid to fight back if our laws are broken.”

Lee Munson, security researcher at Comparitech.com said that while the incoming General Data Protection Regulation (GDPR) will do little to change the illegality of collecting personal information without people’s consent, it will up the ante in terms of the financial penalties that could be handed to any company that engages in any such activity.

"Given how Google has previously been fined heavily for monitoring browsing histories, it is not that surprising to learn about its alleged historic collection of data from iPhone users,” he said, via email. “Also, considering how that data was reportedly collected, despite Apple having privacy settings in place to prevent it, it would not be surprising at all to find out that this is not an isolated case.”

He added, “Hopefully, therefore, this will be the last time we hear of any alleged surreptitious data collection from unknowing victims who may have believed they had taken the necessary steps to prevent it occurring."

Consumers Overwhelmingly Blame Businesses for Breaches

The majority of consumers—70%—would stop doing business with companies following a data breach; yet they fail to take any responsibility for their own poor data security habits.

According to a Gemalto survey of more than 10,000 consumers worldwide, only a quarter (27%) feel businesses take customer data security very seriously, and 70% would take their business elsewhere after a breach.

While 62% of consumers feel businesses are responsible for data security, many have their own poor security hygiene. For instance, 41% fail to take advantage of security measures available to them, such as two-factor authentication for social media accounts. In addition, more than half (56%) still use the same password for multiple online accounts.

This state of affairs is resulting in businesses being forced to take additional steps to protect consumers and enforce robust security measures, as well as educate them on the benefits of adopting these. Retailers (61%), banks (59%) and social media sites (58%) were found to have a lot of work to do, with these being sectors that consumers would leave if they suffered a breach.

“Consumers are evidently happy to relinquish the responsibility of protecting their data to a business, but are expecting it to be kept secure without any effort on their part,” said Jason Hart, CTO, Identity and Data Protection at Gemalto. “In the face of upcoming data regulations such as GDPR, it’s now up to businesses to ensure they are forcing security protocols on their customers to keep data secure. It’s no longer enough to offer these solutions as an option. These protocols must be mandatory from the start—otherwise businesses will face not only financial consequences, but also potentially legal action from consumers.”

Despite their lack of secure behavior, consumers’ security concerns are high, as two-thirds (67%) worry they will be victims of a data breach in the near future. Consequently, consumers now hold businesses accountable—if their data is stolen, the majority (93%) of consumers would take or consider taking legal action against the compromised business.

When it comes to the businesses that consumers trust least, over half (58%) believe that social media sites are one of the biggest threats to their data, with one in five (20%) fearful of travel sites—worryingly, one in 10 (9%) think no sites pose a risk to them.

On the other hand, a third (33%) of consumers trust banks the most with their personal data, despite their being frequent targets and victims of data breaches, with industry-certified bodies (12%), device manufacturers (11%) and the government (10%) next on the list for trustworthiness.

Hart continued, “It’s astonishing that consumers are now putting their own data at risk, by failing to use these measures, despite growing concerns around their security. It’s resulting in an alarming amount of breaches—80%—being caused by weak or previously stolen credentials. Something has to change soon on both the business and consumer sides or this is only going to get worse.”

Over a Quarter of Ransomware Now Targets Corporates

The number of ransomware attacks targeting business users in 2017 rose to 26% as the number of new families discovered halved, according to new stats released this week by Kaspersky Lab.

The Russian AV firm claimed that 26.2% of attacks over the past year were aimed at corporates, with just over 4% targeting SMBs.

This would seem to represent just a small increase from the 22.6% of attacks aimed at business users in 2016. However, the vendor said these figures didn’t include the three mega ransomware worm campaigns of WannaCry, NotPetya (ExPetr) and BadRabbit.

There are other signs of an evolution in the ransomware landscape: the number of new malware families discovered by Kaspersky Lab dropped from 62 last year to just 38 in 2017.

However, it appears as if cyber-criminals are instead looking to modify existing strains in order to bypass security filters: the number of modifications grew from 54,000 last year to 96,000 this year.

Ransomware remains a serious threat to organizations, with two-thirds (65%) of those hit claiming to have lost a “significant” amount or even all of their data. Even the 29% that managed to decrypt their data said they lost a “significant” number of files.

Over a third (36%) ignored the advice of police and security experts and paid the ransom, but one in six never managed to recover their data.

There are also signs that ransomware is having a longer-lasting impact on the victim organization: 34% claimed they took a week or longer to recover from such an incident, versus 29% in 2016.

“The headline attacks of 2017 are an extreme example of growing criminal interest in corporate targets. We spotted this trend in 2016, it has accelerated throughout 2017, and shows no signs of slowing down,” argued senior malware analyst, Fedor Sinitsyn.

“Business victims are remarkably vulnerable, can be charged a higher ransom than individuals and are often willing to pay up in order to keep the business operational. New business-focused infection vectors, such as through remote desktop systems are not surprisingly also on the rise.”

This vector became increasingly popular in 2017, used to spread Crysis, Purgen/GlobeImposter and Cryakl ransomware variants, among others.

However, there was some good news last year, after decryption keys were published for strains including ES-NI, xdata, Petya/Mischa/GoldenEye and Crysis — although the latter was subsequently resurrected.

“Our initial investigations have shown the unauthorized access was gained via a single and isolated user account which has now been disabled. We have also put in place additional security measures to best prevent a similar incident happening in the future. Clarksons would like to reassure clients and shareholders that this incident has not, and does not, affect its ability to do business.”

It claimed that the hacker may release some of the data, but gave no indication of the kind of information that was stolen, or how many records, saying only that it is “confidential” and that “lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information.”

This lack of transparency may be harder to get away with when the GDPR comes into force, with firms required to give a detailed account to regulators within 72 hours of discovery of a breach.

Clarksons said it is working with police and data security experts to get to the bottom of the incident and has notified the regulators. It has also accelerated roll-out of IT security measures as part of a program that began earlier in the year.

Comments from CEO Andi Case within the statement suggest that the hackers have been trying to extort the company with the stolen data they now hold.

“We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves,” he said. “In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologize for any concern this incident may have understandably raised.”

Uber Breach Affected 2.7 Million UK Users

Approximately 2.7 million UK riders and drivers were affected by the recently disclosed breach of ride hailing service Uber, the firm has finally revealed.

In an update to its Help section, the controversial firm claimed it could not be more accurate about the figure, which is said to represent around half of all UK users.

It said:

“This is an approximation rather than an accurate and definitive count because sometimes the information we get through the app or our website that we use to assign a country code is not the same as the country where a person actually lives.”

Uber reiterated that the breach affected names, email addresses and mobile phone numbers for Uber customers and that its “outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers or dates of birth were downloaded”.

However, that wasn’t good enough for the Mayor of London, Sadiq Khan, who described it as a “catastrophic breach”.

“This latest shocking development about Uber will alarm millions of Londoners whose personal data could have been stolen by criminals,” he said in a statement.

“Uber needs to urgently confirm which of their customers are affected, what is being done to ensure these customers don’t suffer adversely, and what action is being taken to prevent this happening again in the future.”

The incident will do nothing to help Uber’s case as it fights a decision by TfL and the mayor to revoke its license.

Hiwot Mendahun, cyber resilience expert at Mimecast, argued that users need to be extra vigilant against suspicious emails, texts or even phone calls from potential scammers.

“Impersonation attacks are already the easiest way to trick people into giving away money or valuable data and easily bypass many traditional security defences,” he added.

“Thankfully, it appears that no trip location histories were included in the breach, as the privacy and safety implications of that would be horrendous.”

Uber shocked the world last week when CEO Dara Khosrowshahi admitted the firm had covered up a breach of info on 57m riders and drivers last year, after paying the hackers $100,000 to delete the data.

Cobalt Malware Spreads Using 17-Year-Old Vulnerability

Cobalt-based malware is spreading by exploiting a 17-year-old vulnerability.

FortiGuard Labs’ Kadena Threat Intelligence System (KTIS) has uncovered a spam campaign that exploits a remote code execution vulnerability in document handling, CVE-2017-11882, which, although it had existed for the better part of two decades, was only disclosed and patched by Microsoft in November.

“Not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver a malware using a component from a well-known penetration testing tool, Cobalt Strike,” FortiGuard said, in an analysis of the campaign. “Threat actors are always on the lookout for vulnerabilities to exploit and use them for malware campaigns like this. This goes both for new and old vulnerabilities, whether they have been published or not. We frequently see malware campaigns that exploit vulnerabilities that have been patched for months or even years. This may have come from an assumption that there are still a significant number of users out there that don’t take software updates seriously, which sadly, is far too often the case.”

The spam email poses as a notification from Visa about some rule changes in its payWave service in Russia. The attachments include password-protected archives—typically this tactic is used to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection. This gambit is different.

“This is clearly not the threat actors’ intention for this campaign though, since a copy of the malicious document is out in the open,” FortiGuard said. “So, it’s possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service.”

The PowerShell script payload contains anti-detection beacons, and allows threat actors to control the victim’s system and initiate lateral movement procedures in the network by executing a wide array of commands.

“It is also notable that in this case these cyber-criminals were able to load Cobalt Strike’s module without the need to write it as a physical file,” added the firm. “Instead, they are using trusted Microsoft Windows tools to run client-side scripts, which can be overlooked by traditional AV products.”

Conference calls present a significant and overlooked security gap in the enterprise, according to a new research study from LoopUp.

The firm polled 1000 business professionals and found that whilst 70% said it was normal to discuss confidential information on conference calls, more than half admitted that it is also normal not to know who was on the line. LoopUp attributed this to the limitations of traditional dial-in conferencing: with no visibility or control over a meeting, users cannot see who has joined or take action to remove unwanted guests.

“Tools with web-based UIs can help in this respect, but are used only in the minority of cases”, LoopUp said in its report.

What’s more, 66% of professionals were found to use the same dial-in passcodes for a year or more. As with any log-in credential that is never rotated, this exposes users and businesses to risk should the passcodes fall into the hands of malicious actors.

However, dial-in conferencing remains the primary way business people participate in conference calls, regardless of whether they have access to web or video conferencing tools.

“It’s not surprising that the majority of business people still default to dial-in to join their conference calls,” said LoopUp co-CEO, Steve Flavell. “While there is an abundance of capable software products for conferencing, most business people neither have the time nor inclination to learn how to use them, and they certainly don’t want to learn by trial and error during their meetings.”

Speaking to Infosecurity, Steve Durbin, managing director of the Information Security Forum, said it’s vital that employees are taught to treat dial-in information with care, as it is often company confidential information.

“Never disclose the chairman’s code outside of a small number of trusted individuals, monitor who has the code and how it is being used and only share participant codes with users that are required,” he added.

“For those calls that are truly confidential – perhaps board calls or those with investors where the content is not intended to be made public – consider using a different calling bridge from the norm. For smaller companies, WhatsApp and Skype are effective ways of pulling together small groups for calls where you are able to at least know who you have on the call.”

Euro Police Arrest Over 100 Money Mules

European law enforcers are celebrating after identifying hundreds of money mules and making over 100 arrests as part of a coordinated global clampdown.

During the European Money Mule Action (EMMA) which ran from November 20-24, police from 26 countries supported by Europol, Eurojust and the European Banking Federation (EBF) made 159 arrests.

In addition, cops claimed to have identified 766 money mules and conducted 409 interviews. Importantly, the operation targeted not only the mules themselves but also their organizers — 59 of whom were identified.

Money mules are recruited by cybercrime gangs to launder cash stolen in online campaigns, often lured by the promise of easy cash.

Many are unaware that they’re actually playing a vital role in the cybercrime ecosystem, with police claiming that the funds they help launder are often pumped back into organised crime — including drug dealing, human trafficking and online fraud.

In the EMMA campaign period, Europol claimed that support from 257 banks and private-sector partners uncovered 1719 money mule transactions, with total losses amounting to almost €31m (£27m, $37m).

Some 90% of these were linked to cybercrime offenses including phishing, online auction fraud, Business Email Compromise (BEC) and CEO fraud.

“EMMA3 shows how a close public-private partnership between law enforcement, judicial authorities and the banking sector is essential to effectively tackle the illegal activity of money muling. We remain fully committed to working together in the fight against money laundering and other financial crimes and to further support joint initiatives like EMMA,” noted a statement from Europol, Eurojust and the European Banking Federation.

The news comes as new stats from Cifas on Monday revealed the number of UK money mules aged 18-24 has doubled since 2013, and risen 75% from last year to this.

“Uncovering these money muling schemes and informing the public are vital to prevent criminals from taking advantage of unsuspecting individuals,” the Europol statement continued. “Legitimate companies will never ask individuals to use their bank accounts or transfer money through their accounts. Nobody should give access, or provide their bank accounts or electronic wallets, to unknown or untrusted people.’’

Elite Oxbridge Alumni Club Reports Stolen Hard Drive

Thousands of Oxbridge alumni may have had their personal details compromised after it emerged that a hard drive containing the data was stolen from the headquarters of an elite club.

The exclusive Oxford and Cambridge Club is said to have written to its 5000 members this week urging them to check for suspicious activity on their bank accounts.

The theft of the back-up hard drive from a locked room at the club’s Pall Mall HQ was discovered on November 16 and a police investigation has now been launched, with private investigators also hired.

Alongside illustrious Oxbridge alumni such as broadcaster Stephen Fry and the Astronomer Royal, Lord Rees, 100 members of staff are also thought to have been affected. As honorary members, the Prince of Wales and Duke of Edinburgh are not thought to have had their details taken.

Stolen information is said to include names, home addresses, phone numbers and some bank details.

“This situation has arisen as a result of the theft of a storage disk, and not as a breach of the cybersecurity system, and although the data contained on the disk is protected by multiple layers of security and heavy password protection, we have been advised by data specialists that there is a very remote chance that information could be obtained.”

Jon Fielding, EMEA managing director at Apricorn, argued that organizations must protect sensitive data at rest like this with strong encryption as a form of insurance against the costs resulting from a subsequent breach or data leak.

"Yes, encrypted drives carry a higher cost than those that are unencrypted but just look at the cost of the breach reported here — hiring of private investigators, the workload required to notify up to 5000 individuals compromised, to offer remedy and, potentially the most costly, the involvement of the Information Commissioner's Office (ICO),” he continued.

“The ICO has the authority to fine organizations it deems in breach of the UK Data Protection Act up to £500,000. This figure rises markedly to the greater sum of €20m or 4% of turnover in May 2018 when the General Data Protection Regulation (GDPR) comes into effect."

Apple Works to Fix Serious Mac Security Bug

Apple has confirmed reports of a significant ‘root bug’ affecting iMacs and MacBooks upgraded to the new version of macOS High Sierra.

The flaw, discovered by Turkish developer Lemi Orhan Ergin, allows somebody to access another person’s machine without a password simply by entering ‘root’ as the username and pressing enter in the system’s admin settings. Doing so apparently grants powerful administrator rights, including the ability to delete files, change passwords and add or remove system accounts.

Apple is taking the issue seriously, offering the following statement:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012.

“If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

It is not known when a patch will be released by Apple for the flaw, but with the firm working on the bug one should be expected in the coming hours. In the meantime, it’s worth bearing in mind that the vulnerability cannot be exploited remotely, so anyone targeting Macs would need physical access to a machine which would also need to be fully open and unlocked for the hack to occur.

“It wasn’t that long ago that Apple was winning the desktop security space by a large margin, primarily through the advantage of obscurity versus its Windows competition,” said Lee Munson, security researcher for Comparitech.com. “Times have changed though and we can no longer say that Macs don’t get viruses and nor can we say that they are immune to potentially very serious bugs either.”

The latest of those bugs to emerge is about as serious as it gets, he added, as the ability to gain admin rights to any machine via a few key presses poses tremendous risk to those devices, the information contained on them and the networks they connect to.

“Of course, this is all mitigated by the fact that remote access can only be gained if the bug is first leveraged through physical access to the device, so home users have very little to worry about and businesses should also be okay, as long as they are on top of access control and visitor policies.

“Even so, all Mac owners would be well advised to install the resultant patch, just as soon as it becomes available.”